xref: /freebsd/lib/libpam/modules/pam_unix/pam_unix.c (revision 924226fba12cc9a228c73b956e1b7fa24c60b055)
1 /*-
2  * SPDX-License-Identifier: BSD-3-Clause
3  *
4  * Copyright 1998 Juniper Networks, Inc.
5  * All rights reserved.
6  * Copyright (c) 2002-2003 Networks Associates Technology, Inc.
7  * All rights reserved.
8  *
9  * Portions of this software was developed for the FreeBSD Project by
10  * ThinkSec AS and NAI Labs, the Security Research Division of Network
11  * Associates, Inc.  under DARPA/SPAWAR contract N66001-01-C-8035
12  * ("CBOSS"), as part of the DARPA CHATS research program.
13  *
14  * Redistribution and use in source and binary forms, with or without
15  * modification, are permitted provided that the following conditions
16  * are met:
17  * 1. Redistributions of source code must retain the above copyright
18  *    notice, this list of conditions and the following disclaimer.
19  * 2. Redistributions in binary form must reproduce the above copyright
20  *    notice, this list of conditions and the following disclaimer in the
21  *    documentation and/or other materials provided with the distribution.
22  * 3. The name of the author may not be used to endorse or promote
23  *    products derived from this software without specific prior written
24  *    permission.
25  *
26  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
27  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
28  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
29  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
30  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
31  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
32  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
33  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
34  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
35  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
36  * SUCH DAMAGE.
37  */
38 
39 #include <sys/cdefs.h>
40 __FBSDID("$FreeBSD$");
41 
42 #include <sys/param.h>
43 #include <sys/socket.h>
44 #include <sys/time.h>
45 #include <netinet/in.h>
46 #include <arpa/inet.h>
47 
48 #include <login_cap.h>
49 #include <netdb.h>
50 #include <pwd.h>
51 #include <stdlib.h>
52 #include <string.h>
53 #include <stdio.h>
54 #include <syslog.h>
55 #include <time.h>
56 #include <unistd.h>
57 
58 #include <libutil.h>
59 
60 #ifdef YP
61 #include <ypclnt.h>
62 #endif
63 
64 #define PAM_SM_AUTH
65 #define PAM_SM_ACCOUNT
66 #define	PAM_SM_PASSWORD
67 
68 #include <security/pam_appl.h>
69 #include <security/pam_modules.h>
70 #include <security/pam_mod_misc.h>
71 
72 #define PASSWORD_HASH		"md5"
73 #define DEFAULT_WARN		(2L * 7L * 86400L)  /* Two weeks */
74 #define	SALTSIZE		32
75 
76 #define	LOCKED_PREFIX		"*LOCKED*"
77 #define	LOCKED_PREFIX_LEN	(sizeof(LOCKED_PREFIX) - 1)
78 
79 static void makesalt(char []);
80 
81 static char password_hash[] =		PASSWORD_HASH;
82 
83 #define PAM_OPT_LOCAL_PASS	"local_pass"
84 #define PAM_OPT_NIS_PASS	"nis_pass"
85 
86 /*
87  * authentication management
88  */
89 PAM_EXTERN int
90 pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
91     int argc __unused, const char *argv[] __unused)
92 {
93 	login_cap_t *lc;
94 	struct passwd *pwd;
95 	int retval;
96 	const char *pass, *user, *realpw, *prompt;
97 	const char *emptypasswd = "";
98 
99 	if (openpam_get_option(pamh, PAM_OPT_AUTH_AS_SELF)) {
100 		user = getlogin();
101 	} else {
102 		retval = pam_get_user(pamh, &user, NULL);
103 		if (retval != PAM_SUCCESS)
104 			return (retval);
105 	}
106 	pwd = getpwnam(user);
107 
108 	PAM_LOG("Got user: %s", user);
109 
110 	if (pwd != NULL) {
111 		PAM_LOG("Doing real authentication");
112 		realpw = pwd->pw_passwd;
113 		if (realpw[0] == '\0') {
114 			if (!(flags & PAM_DISALLOW_NULL_AUTHTOK) &&
115 			    openpam_get_option(pamh, PAM_OPT_NULLOK))
116 				return (PAM_SUCCESS);
117 			PAM_LOG("Password is empty, using fake password");
118 			realpw = "*";
119 		}
120 		/*
121 		 * Check whether the saved password hash matches the one
122 		 * generated from an empty password - as opposed to empty
123 		 * saved password hash, which is handled above.
124 		 */
125 		if (!(flags & PAM_DISALLOW_NULL_AUTHTOK) &&
126 		    openpam_get_option(pamh, PAM_OPT_EMPTYOK) &&
127 		    strcmp(crypt(emptypasswd, realpw), realpw) == 0)
128 			return (PAM_SUCCESS);
129 		lc = login_getpwclass(pwd);
130 	} else {
131 		PAM_LOG("Doing dummy authentication");
132 		realpw = "*";
133 		lc = login_getclass(NULL);
134 	}
135 	prompt = login_getcapstr(lc, "passwd_prompt", NULL, NULL);
136 	retval = pam_get_authtok(pamh, PAM_AUTHTOK, &pass, prompt);
137 	login_close(lc);
138 	if (retval != PAM_SUCCESS)
139 		return (retval);
140 	PAM_LOG("Got password");
141 	if (strnlen(pass, _PASSWORD_LEN + 1) > _PASSWORD_LEN) {
142 		PAM_LOG("Password is too long, using fake password");
143 		realpw = "*";
144 	}
145 	if (strcmp(crypt(pass, realpw), realpw) == 0)
146 		return (PAM_SUCCESS);
147 
148 	PAM_VERBOSE_ERROR("UNIX authentication refused");
149 	return (PAM_AUTH_ERR);
150 }
151 
152 PAM_EXTERN int
153 pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused,
154     int argc __unused, const char *argv[] __unused)
155 {
156 
157 	return (PAM_SUCCESS);
158 }
159 
160 /*
161  * account management
162  */
163 PAM_EXTERN int
164 pam_sm_acct_mgmt(pam_handle_t *pamh, int flags __unused,
165     int argc __unused, const char *argv[] __unused)
166 {
167 	struct addrinfo hints, *res;
168 	struct passwd *pwd;
169 	struct timeval tp;
170 	login_cap_t *lc;
171 	time_t warntime;
172 	int retval;
173 	const char *user;
174 	const void *rhost, *tty;
175 	char rhostip[MAXHOSTNAMELEN] = "";
176 
177 	retval = pam_get_user(pamh, &user, NULL);
178 	if (retval != PAM_SUCCESS)
179 		return (retval);
180 
181 	if (user == NULL || (pwd = getpwnam(user)) == NULL)
182 		return (PAM_SERVICE_ERR);
183 
184 	PAM_LOG("Got user: %s", user);
185 
186 	retval = pam_get_item(pamh, PAM_RHOST, &rhost);
187 	if (retval != PAM_SUCCESS)
188 		return (retval);
189 
190 	retval = pam_get_item(pamh, PAM_TTY, &tty);
191 	if (retval != PAM_SUCCESS)
192 		return (retval);
193 
194 	if (*pwd->pw_passwd == '\0' &&
195 	    (flags & PAM_DISALLOW_NULL_AUTHTOK) != 0)
196 		return (PAM_NEW_AUTHTOK_REQD);
197 
198 	if (strncmp(pwd->pw_passwd, LOCKED_PREFIX, LOCKED_PREFIX_LEN) == 0)
199 		return (PAM_AUTH_ERR);
200 
201 	lc = login_getpwclass(pwd);
202 	if (lc == NULL) {
203 		PAM_LOG("Unable to get login class for user %s", user);
204 		return (PAM_SERVICE_ERR);
205 	}
206 
207 	PAM_LOG("Got login_cap");
208 
209 	if (pwd->pw_change || pwd->pw_expire)
210 		gettimeofday(&tp, NULL);
211 
212 	/*
213 	 * Check pw_expire before pw_change - no point in letting the
214 	 * user change the password on an expired account.
215 	 */
216 
217 	if (pwd->pw_expire) {
218 		warntime = login_getcaptime(lc, "warnexpire",
219 		    DEFAULT_WARN, DEFAULT_WARN);
220 		if (tp.tv_sec >= pwd->pw_expire) {
221 			login_close(lc);
222 			return (PAM_ACCT_EXPIRED);
223 		} else if (pwd->pw_expire - tp.tv_sec < warntime &&
224 		    (flags & PAM_SILENT) == 0) {
225 			pam_error(pamh, "Warning: your account expires on %s",
226 			    ctime(&pwd->pw_expire));
227 		}
228 	}
229 
230 	retval = PAM_SUCCESS;
231 	if (pwd->pw_change) {
232 		warntime = login_getcaptime(lc, "warnpassword",
233 		    DEFAULT_WARN, DEFAULT_WARN);
234 		if (tp.tv_sec >= pwd->pw_change) {
235 			retval = PAM_NEW_AUTHTOK_REQD;
236 		} else if (pwd->pw_change - tp.tv_sec < warntime &&
237 		    (flags & PAM_SILENT) == 0) {
238 			pam_error(pamh, "Warning: your password expires on %s",
239 			    ctime(&pwd->pw_change));
240 		}
241 	}
242 
243 	/*
244 	 * From here on, we must leave retval untouched (unless we
245 	 * know we're going to fail), because we need to remember
246 	 * whether we're supposed to return PAM_SUCCESS or
247 	 * PAM_NEW_AUTHTOK_REQD.
248 	 */
249 
250 	if (rhost && *(const char *)rhost != '\0') {
251 		memset(&hints, 0, sizeof(hints));
252 		hints.ai_family = AF_UNSPEC;
253 		if (getaddrinfo(rhost, NULL, &hints, &res) == 0) {
254 			getnameinfo(res->ai_addr, res->ai_addrlen,
255 			    rhostip, sizeof(rhostip), NULL, 0,
256 			    NI_NUMERICHOST);
257 		}
258 		if (res != NULL)
259 			freeaddrinfo(res);
260 	}
261 
262 	/*
263 	 * Check host / tty / time-of-day restrictions
264 	 */
265 
266 	if (!auth_hostok(lc, rhost, rhostip) ||
267 	    !auth_ttyok(lc, tty) ||
268 	    !auth_timeok(lc, time(NULL)))
269 		retval = PAM_AUTH_ERR;
270 
271 	login_close(lc);
272 
273 	return (retval);
274 }
275 
276 /*
277  * password management
278  *
279  * standard Unix and NIS password changing
280  */
281 PAM_EXTERN int
282 pam_sm_chauthtok(pam_handle_t *pamh, int flags,
283     int argc __unused, const char *argv[] __unused)
284 {
285 #ifdef YP
286 	struct ypclnt *ypclnt;
287 	const void *yp_domain, *yp_server;
288 #endif
289 	char salt[SALTSIZE + 1];
290 	login_cap_t *lc;
291 	struct passwd *pwd, *old_pwd;
292 	const char *user, *old_pass, *new_pass;
293 	char *encrypted;
294 	time_t passwordtime;
295 	int pfd, tfd, retval;
296 
297 	if (openpam_get_option(pamh, PAM_OPT_AUTH_AS_SELF))
298 		user = getlogin();
299 	else {
300 		retval = pam_get_user(pamh, &user, NULL);
301 		if (retval != PAM_SUCCESS)
302 			return (retval);
303 	}
304 	pwd = getpwnam(user);
305 
306 	if (pwd == NULL)
307 		return (PAM_AUTHTOK_RECOVERY_ERR);
308 
309 	PAM_LOG("Got user: %s", user);
310 
311 	if (flags & PAM_PRELIM_CHECK) {
312 
313 		PAM_LOG("PRELIM round");
314 
315 		if (getuid() == 0 &&
316 		    (pwd->pw_fields & _PWF_SOURCE) == _PWF_FILES)
317 			/* root doesn't need the old password */
318 			return (pam_set_item(pamh, PAM_OLDAUTHTOK, ""));
319 #ifdef YP
320 		if (getuid() == 0 &&
321 		    (pwd->pw_fields & _PWF_SOURCE) == _PWF_NIS) {
322 
323 			yp_domain = yp_server = NULL;
324 			(void)pam_get_data(pamh, "yp_domain", &yp_domain);
325 			(void)pam_get_data(pamh, "yp_server", &yp_server);
326 
327 			ypclnt = ypclnt_new(yp_domain, "passwd.byname", yp_server);
328 			if (ypclnt == NULL)
329 				return (PAM_BUF_ERR);
330 
331 			if (ypclnt_connect(ypclnt) == -1) {
332 				ypclnt_free(ypclnt);
333 				return (PAM_SERVICE_ERR);
334 			}
335 
336 			retval = ypclnt_havepasswdd(ypclnt);
337 			ypclnt_free(ypclnt);
338 			if (retval == 1)
339 				return (pam_set_item(pamh, PAM_OLDAUTHTOK, ""));
340 			else if (retval == -1)
341 				return (PAM_SERVICE_ERR);
342 		}
343 #endif
344 		if (pwd->pw_passwd[0] == '\0'
345 		    && openpam_get_option(pamh, PAM_OPT_NULLOK)) {
346 			/*
347 			 * No password case. XXX Are we giving too much away
348 			 * by not prompting for a password?
349 			 * XXX check PAM_DISALLOW_NULL_AUTHTOK
350 			 */
351 			old_pass = "";
352 			retval = PAM_SUCCESS;
353 		} else {
354 			retval = pam_get_authtok(pamh,
355 			    PAM_OLDAUTHTOK, &old_pass, NULL);
356 			if (retval != PAM_SUCCESS)
357 				return (retval);
358 		}
359 		PAM_LOG("Got old password");
360 		/* always encrypt first */
361 		encrypted = crypt(old_pass, pwd->pw_passwd);
362 		if (old_pass[0] == '\0' &&
363 		    !openpam_get_option(pamh, PAM_OPT_NULLOK))
364 			return (PAM_PERM_DENIED);
365 		if (strcmp(encrypted, pwd->pw_passwd) != 0)
366 			return (PAM_PERM_DENIED);
367 	}
368 	else if (flags & PAM_UPDATE_AUTHTOK) {
369 		PAM_LOG("UPDATE round");
370 
371 		retval = pam_get_authtok(pamh,
372 		    PAM_OLDAUTHTOK, &old_pass, NULL);
373 		if (retval != PAM_SUCCESS)
374 			return (retval);
375 		PAM_LOG("Got old password");
376 
377 		/* get new password */
378 		for (;;) {
379 			retval = pam_get_authtok(pamh,
380 			    PAM_AUTHTOK, &new_pass, NULL);
381 			if (retval != PAM_TRY_AGAIN)
382 				break;
383 			pam_error(pamh, "Mismatch; try again, EOF to quit.");
384 		}
385 		PAM_LOG("Got new password");
386 		if (retval != PAM_SUCCESS) {
387 			PAM_VERBOSE_ERROR("Unable to get new password");
388 			return (retval);
389 		}
390 
391 		if (getuid() != 0 && new_pass[0] == '\0' &&
392 		    !openpam_get_option(pamh, PAM_OPT_NULLOK))
393 			return (PAM_PERM_DENIED);
394 
395 		if ((old_pwd = pw_dup(pwd)) == NULL)
396 			return (PAM_BUF_ERR);
397 
398 		lc = login_getclass(pwd->pw_class);
399 		if (login_setcryptfmt(lc, password_hash, NULL) == NULL)
400 			openpam_log(PAM_LOG_ERROR,
401 			    "can't set password cipher, relying on default");
402 
403 		/* set password expiry date */
404 		pwd->pw_change = 0;
405 		passwordtime = login_getcaptime(lc, "passwordtime", 0, 0);
406 		if (passwordtime > 0)
407 			pwd->pw_change = time(NULL) + passwordtime;
408 
409 		login_close(lc);
410 		makesalt(salt);
411 		pwd->pw_passwd = crypt(new_pass, salt);
412 #ifdef YP
413 		switch (old_pwd->pw_fields & _PWF_SOURCE) {
414 		case _PWF_FILES:
415 #endif
416 			retval = PAM_SERVICE_ERR;
417 			if (pw_init(NULL, NULL))
418 				openpam_log(PAM_LOG_ERROR, "pw_init() failed");
419 			else if ((pfd = pw_lock()) == -1)
420 				openpam_log(PAM_LOG_ERROR, "pw_lock() failed");
421 			else if ((tfd = pw_tmp(-1)) == -1)
422 				openpam_log(PAM_LOG_ERROR, "pw_tmp() failed");
423 			else if (pw_copy(pfd, tfd, pwd, old_pwd) == -1)
424 				openpam_log(PAM_LOG_ERROR, "pw_copy() failed");
425 			else if (pw_mkdb(pwd->pw_name) == -1)
426 				openpam_log(PAM_LOG_ERROR, "pw_mkdb() failed");
427 			else
428 				retval = PAM_SUCCESS;
429 			pw_fini();
430 #ifdef YP
431 			break;
432 		case _PWF_NIS:
433 			yp_domain = yp_server = NULL;
434 			(void)pam_get_data(pamh, "yp_domain", &yp_domain);
435 			(void)pam_get_data(pamh, "yp_server", &yp_server);
436 			ypclnt = ypclnt_new(yp_domain,
437 			    "passwd.byname", yp_server);
438 			if (ypclnt == NULL) {
439 				retval = PAM_BUF_ERR;
440 			} else if (ypclnt_connect(ypclnt) == -1 ||
441 			    ypclnt_passwd(ypclnt, pwd, old_pass) == -1) {
442 				openpam_log(PAM_LOG_ERROR, "%s", ypclnt->error);
443 				retval = PAM_SERVICE_ERR;
444 			} else {
445 				retval = PAM_SUCCESS;
446 			}
447 			ypclnt_free(ypclnt);
448 			break;
449 		default:
450 			openpam_log(PAM_LOG_ERROR, "unsupported source 0x%x",
451 			    pwd->pw_fields & _PWF_SOURCE);
452 			retval = PAM_SERVICE_ERR;
453 		}
454 #endif
455 		free(old_pwd);
456 	}
457 	else {
458 		/* Very bad juju */
459 		retval = PAM_ABORT;
460 		PAM_LOG("Illegal 'flags'");
461 	}
462 
463 	return (retval);
464 }
465 
466 /* Mostly stolen from passwd(1)'s local_passwd.c - markm */
467 
468 static unsigned char itoa64[] =		/* 0 ... 63 => ascii - 64 */
469 	"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
470 
471 static void
472 to64(char *s, long v, int n)
473 {
474 	while (--n >= 0) {
475 		*s++ = itoa64[v&0x3f];
476 		v >>= 6;
477 	}
478 }
479 
480 /* Salt suitable for traditional DES and MD5 */
481 static void
482 makesalt(char salt[SALTSIZE + 1])
483 {
484 	int i;
485 
486 	/* These are not really random numbers, they are just
487 	 * numbers that change to thwart construction of a
488 	 * dictionary.
489 	 */
490 	for (i = 0; i < SALTSIZE; i += 4)
491 		to64(&salt[i], arc4random(), 4);
492 	salt[SALTSIZE] = '\0';
493 }
494 
495 PAM_MODULE_ENTRY("pam_unix");
496